Touch ID Integration with SAML Authentication

SAP released iOS SDK for SAP Cloud Platform about 3 weeks back. The SDK is tightly integrated with SAP Cloud Platform and provides the Authentication (oAuth/SAML/Basic/X509 Certificate) , Offline oData, Push Notifications, Fiori Controls, Secure Storage Logging etc. This blog explains how to integrate Touch ID with SAML based authentication using SAP iOS SDK for SAP Cloud Platform.

Logon to SAP Mobile Service for Development and Operations portal.

• Create an Application with Form Based Authentication for SAML

• Use Application-Application SSO for connection to backend for the demo oData service provided by default in the account /mobileservices/Admin/ESPM.svc/

• Generate the application using iOS Assistant. In the SAPcpms screen, click on Use Existing Tab, and select the application created in Steps 2 above.

• The generated project will be opened in XCode.
• Open the file /ViewControllers/SAMLAuthViewController.swift, function ViewDidLoad()
• 
• It calls 2 functions, SetUpAuthenticator() and sendRequest().
• 
• The iOS SDK includes convenient APIs for sending a SAML request, act on the authentication challenge and resend the request when authentication is successful.SAML Authentication protocol is explained in detailed here.The SAP Identity provider login page that is displayed on launching the application is handled by SAMLAuthenticator. Upon receiving a SAML authentication challenge in response header, SAMLAuthenticator uses a web view to present the login page. After the user enters the credential and taps/clicks on the logon button, it sends a request to SAP IdP with user credentials and after successful logon, resends the original request. The response to this request is then handled by SAPUrlSession.dataTask() method which only dumps the contents of the response in console and set the SAPURLSession instance as the AppDelegate’s session object instance. SAPURLSession.dataTask() is a convenient method which bypasses calls for response and data delivery.In the sendrequest() method, a request is send for ‘SalesOrderHeader’ entity set. The response to the request is handled in the convenient method dataTask() provided by the SDK. This convenient method bypasses the normal calls for response and data delivery.Note that data fetched by this request is actually not utilised anywhere. The request is used just to trigger logon to the server.
• 
  

• Enable Touch ID Authentication

• Apple iOS SDK provides LocalAuthentication module to request authentication from user though passphrases or biometrics.
• 
• Comment out the viewDidLoad() method and create a new method as shown above. Touch ID is only available from iOS 8 & OSX 10.12 onwards so first a check against the system is done. Next it is checked whether Touch ID is enabled or not.LAContent.evaluatePolicy() method presents the Touch ID dialog to the user and if the user authenticates successfully, the earlier SAML based authentication is triggered. Else, nothing happens, but in real work you would like to track the no of times the authentication failed and maybe after few tries lock the application out.Run the project in the Simulator. You should a blank screen after application launches. The Touch ID  needs to be enrolled for the device. In Simulator menu, go to Hardware>Touch ID>Toggle Enrolled State. Stop the application and run it again.

Provide a Matching touch, go to Hardware>Touch ID>Matching Touch. SAP IdP Logon page is presented. Provide the credentials and select ‘Remember Me’ checkbox.

The session cookie OR the certificate thus issued are stored locally, maybe using SecureStorage APIs provided with SDK and the user need not enter the credentials from next time onwards. I suppose SAMLAuthenticator class fetches the credentials from SecureStorage and presents it for SAML Authentication.

After Successful authentication, list of EntitySet is displayed.

Exit the application OR restart the Simulator and Launch the application again. Now after Touch ID authentication, the logon to SAP IdP is triggered automatically (user only sees page transitions) and the user is presented with first view in the application.

This way the user can authenticate himself/herself using biometrics and does not need to provide credentials every time the application is launched.

The locally stored credentials work even after changing the SAP IdP password. Also, the credentials work after restarting the Device. So, I think either of the following is true:

1. The session cookie issued by the default SAP IdP has a long expiring date (or never expires).
2. The SAP IdP is issuing a certificate with long validity (certificate validity is generally kept for a long time for ex. 1 year).